Adware Doctor, the top paid utility application on the Mac App Store, is logging users' browsing history and sending it to a server in China.
Patrick Wardle, chief research officer at Digita Security and founder of the Mac security company Objective-See, says that he reported the app to Apple a month ago, but at the time of writing it is still available for download in the Mac App Store.
The app was originally listed as Adware Medic, the name of an app owned by Malwarebytes, which prompted Apple to pull it. After it was renamed Adware Doctor, Apple allowed it back onto the App Store.
Wardle analyzed the app to find out what it was doing after it was flagged by Privacy First.
He found that the app creates a hidden, password-protected archive called history.zip, which it uploads to a server in China. The password used to encrypt the archive was hard-coded, which let Wardle open the zip file; inside he found browsing history from Google Chrome, Mozilla Firefox, and Apple's own browser, Safari.
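As an added illustration of how a defender might triage an archive like the history.zip described above (this is example code, not Wardle's or the app's), the following Python checks a zip file for the default macOS browser-history databases and confirms each candidate is really a SQLite file. The file-name-to-browser mapping and the sample archive are assumptions constructed for the example.

```python
import io
import zipfile
from pathlib import PurePosixPath
from typing import Optional

# Default browser history databases on macOS (all three are SQLite files);
# the mapping from file name to browser is an assumption made for this example.
BROWSER_HISTORY_FILES = {
    "History": "Google Chrome",          # .../Google/Chrome/Default/History
    "places.sqlite": "Mozilla Firefox",  # .../Firefox/Profiles/<profile>/places.sqlite
    "History.db": "Apple Safari",        # ~/Library/Safari/History.db
}
SQLITE_MAGIC = b"SQLite format 3\x00"


def triage_archive(data: bytes, password: Optional[bytes] = None) -> dict:
    """Report which browser-history databases a zip archive carries.

    Only legacy ZipCrypto passwords are supported by Python's zipfile; an
    archive encrypted with AES has to be unpacked with another tool first.
    """
    zf = zipfile.ZipFile(io.BytesIO(data))
    if password is not None:
        zf.setpassword(password)
    encrypted = any(info.flag_bits & 0x1 for info in zf.infolist())
    findings = []
    for info in zf.infolist():
        browser = BROWSER_HISTORY_FILES.get(PurePosixPath(info.filename).name)
        if browser is None:
            continue
        is_sqlite = None  # unknown when the member cannot be read
        if not encrypted or password is not None:
            with zf.open(info) as fh:
                is_sqlite = fh.read(len(SQLITE_MAGIC)) == SQLITE_MAGIC
        findings.append({"browser": browser, "member": info.filename, "sqlite": is_sqlite})
    confirmed = sorted({f["browser"] for f in findings if f["sqlite"]})
    return {"encrypted": encrypted, "findings": findings, "confirmed_browsers": confirmed}


def build_sample_archive() -> bytes:
    """Constructed stand-in for history.zip so the check runs offline."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Chrome/Default/History", SQLITE_MAGIC + b"\x00" * 84)
        zf.writestr("Safari/History.db", SQLITE_MAGIC + b"\x00" * 84)
        zf.writestr("Firefox/places.sqlite", b"not really a database")  # decoy
        zf.writestr("notes/readme.txt", b"unrelated file")
    return buf.getvalue()
```

Run `triage_archive(build_sample_archive())` to see the report for the constructed sample; pass `password=b"..."` when inspecting a ZipCrypto-protected archive whose password is known.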
Wardle notes that sandboxing should prevent Mac apps from reading data belonging to other apps, but Adware Doctor asks for broad access to the user's files when it first runs. Since it is a malware scanning app, asking for such broad permission would not seem suspicious. However, he found that the app was also able to enumerate running processes, something the sandbox should still prevent.
Ironically, he found that the app gets around this restriction by using Apple's own code.
"It's (likely) just a copy and paste of Apple's GetBSDProcessList code (found in Technical Q&A QA1123 "Getting List of All Processes on Mac OS X"). Apparently, this is how one can get a process listing from within the application sandbox! I'm guessing this method is unsanctioned (as it clearly goes against the design goals of sandbox isolation). And yes, rather amusing the code Adware Doctor uses to skirt the sandbox, is directly from Apple!" says a post at Objective-See, which explores the matter extensively.
The app also logs the apps you have downloaded and where they came from.
At the time of writing, the server collecting the data is offline, most likely because of the coverage the app has now received. However, it would take little effort to bring it back online.
Wardle says his greatest concern is why Apple has left the malware in the Mac App Store a month after he alerted the company to his findings.
Apple states that the "safest place to download apps for your Mac is the Mac App Store. Apple reviews each app before it's accepted by the store, and if there's ever a problem with an app, Apple can quickly remove it from the store." That claim is now open to question: the app bypasses the security controls Apple imposes and remains available for download even after the problem has been identified, which is alarming.